I am a great believer that good security comes from a multilayer approach. You don't lock your front gate and leave all the doors open, right? So why should IT security differ? This article looks at an interesting list of the "Top 20" critical security controls published recently by the Centre for the Protection of National Infrastructure (CPNI). CPNI was formed from the merger of the National Infrastructure Security Co-ordination Centre (NISCC) and the National Security Advice Centre (NSAC), formerly part of MI5, the UK's Security Service, and has responsibility for providing Information Assurance guidance for the UK's national infrastructure.
Here is the list:
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
- Secure configurations for hardware and software on laptops, workstations, and servers
- Continual Vulnerability Assessment
- Malware Defenses
- Application Software Security
- Wireless Device Control
- Data Recovery Capability
- Training
- Secure configurations for network devices such as firewalls, routers, and switches
- Limit network ports, protocols and services
- Controlled use of Admin privileges
- Boundary Defense
- Maintenance and Monitoring
- Need to know permissions
- Account monitoring and control
- Data Loss Prevention
- Incident Response
- Secure network engineering
- Penetration Tests
Having been in security for the past 4 years, I have audited and tested the security defenses of 100+ organizations, and I can honestly say I have never seen any one organization operating satisfactory controls in all these areas, if any at all. Therefore, I suggest any organization review this list and either use it as a basis for their IT Security Policy (if they have one) or conduct a simple audit of their systems against this list. If you have gone as far as classifying the information that flows in and out of your organization, you may want to apply this list per classification.
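As an added example of what "a simple audit against this list" looks like in practice for the first control (inventory of authorized and unauthorized devices), the script below reconciles a host's neighbour table against an authorized-asset list. It is not code from the original post or from CPNI; the inventory, the `ip neigh show` output and every MAC address in it are constructed sample data. It canonicalizes MAC addresses before comparing them, because inventories kept by hand mix `AA-BB-CC` and `aabb.ccdd` notations with the lowercase colon form the OS prints, and a naive string comparison would report an authorized device as rogue.

```python
"""Reconcile observed network devices against an authorized-asset inventory.

Added example for critical control 1 (inventory of authorized and
unauthorized devices). All data below is constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed inventory: MAC (in whatever notation the asset owner used)
# -> (asset name, expected IP or None for a DHCP client that may move).
AUTHORIZED = {
    "00:11:22:33:44:55": ("fileserver-01", "10.0.0.5"),
    "AA-BB-CC-DD-EE-01": ("laptop-jsmith", None),
    "aabb.ccdd.ee02": ("printer-floor2", "10.0.0.40"),   # Cisco-style notation
    "00:de:ad:00:00:10": ("switch-core", "10.0.0.1"),
}

# Constructed output in the format of `ip neigh show` on Linux.
SCAN_OUTPUT = """\
10.0.0.5 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.0.23 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
10.0.0.41 dev eth0 lladdr aa:bb:cc:dd:ee:02 REACHABLE
10.0.0.99 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
10.0.0.7 dev eth0  FAILED
"""

# ip, interface, link-layer address, NUD state
NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+(\S+)\s+lladdr\s+([0-9A-Fa-f:.\-]+)\s+(\S+)")


def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 lowercase hex digits in colon notation.

    Accepts colon, hyphen and Cisco dotted forms; rejects anything that
    is not exactly 48 bits so a typo in the inventory fails loudly rather
    than silently matching nothing.
    """
    hexdigits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class AuditResult:
    unauthorized: list = field(default_factory=list)  # (ip, mac) never in inventory
    misplaced: list = field(default_factory=list)     # (name, expected_ip, seen_ip)
    missing: list = field(default_factory=list)       # inventory names not observed
    unresolved: list = field(default_factory=list)    # ips with no link-layer address


def audit(scan_text: str, inventory: dict) -> AuditResult:
    """Compare neighbour-table text against the inventory and classify every entry."""
    authorized = {normalize_mac(m): v for m, v in inventory.items()}
    result = AuditResult()
    seen = set()
    for line in scan_text.splitlines():
        if not line.strip():
            continue
        m = NEIGH_RE.match(line)
        if m is None:
            # FAILED/INCOMPLETE entries carry no lladdr: an IP was seen but not resolved
            result.unresolved.append(line.split()[0])
            continue
        ip, _dev, mac, _state = m.groups()
        mac = normalize_mac(mac)
        seen.add(mac)
        if mac not in authorized:
            result.unauthorized.append((ip, mac))
            continue
        name, expected_ip = authorized[mac]
        if expected_ip is not None and ip != expected_ip:
            # A static asset answering from another address: re-addressing,
            # a cloned MAC, or a stale inventory. Worth a look either way.
            result.misplaced.append((name, expected_ip, ip))
    result.missing = sorted(name for mac, (name, _) in authorized.items() if mac not in seen)
    return result


if __name__ == "__main__":
    r = audit(SCAN_OUTPUT, AUTHORIZED)
    print("unauthorized:", r.unauthorized)
    print("misplaced:   ", r.misplaced)
    print("missing:     ", r.missing)
    print("unresolved:  ", r.unresolved)
```

Two caveats a practitioner would add. A neighbour table only covers the segment the scanning host sits on, so this has to run from a host (or a switch export) on every VLAN to be an inventory rather than a sample. And a MAC address is trivially spoofed, so this is a detective check for the inventory control, not an enforcement mechanism; keeping unauthorized devices off the network is the job of 802.1X or a NAC solution, against which this kind of reconciliation is a useful second opinion.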
My particular favorites are Training and Penetration Tests. This may be because I have conducted many Social Engineering and Penetration Tests, but these really stand out for me. Penetration Testing is a key indicator of whether the other 19 controls are working, and any tests that do not include elements of Social Engineering are not true tests of the threats faced by organizations today. Just look at RSA (whose 2011 breach began with a targeted phishing e-mail).....
References:
http://www.cpni.gov.uk/advice/infosec/Critical-controls/